SOC Warning: Stealthy Stegoloader Can Evade Analysis Tools
By Lee Tibbals and Brian Lowe
An interesting relic from the past came to visit recently in the form of a threat called Steganography. Steganography is a well-known and ancient practice of concealing a file or a message inside another file or message.
The first recorded uses of steganography are accepted to have been around 440 BC in ancient Greece, where a message was tattooed on the shaven head of a servant, then transmitted after the hair grew back. The decoding took place after the head was shaved, revealing the message. Other forms at the time included writing a secret message on a piece of wood and then covering it with wax and inscribing an innocent message in the wax.
Given the past successes of steganography, it should be no secret that modern-day steganography, or Digital Steganography, poses a very real threat.
This week, the Sword & Shield Security Operations Center observed digital steganography events involving Gatak/Stegoloader at several of our Managed Security customers. Stegoloader, also known as Win32/Gatak.DR (Microsoft) and TSPY_GATAK.GTK (Trend Micro), has been around since late 2013, when payloads began to be submitted to VirusTotal, a tool from Google. Stegoloader is the result of improvements made over prior iterations of digital steganography-related malware such as the Duqu and Zeus/Zbot malware families. Those malware families tended to append encrypted configuration files to an image file for exfiltration. Content filtering rules made this technique easier to block, and the current iteration has found a way around them.2
The Gatak/Stegoloader technique is currently seen in Portable Network Graphics (.PNG) files, notably PNG-24 because of its use of the alpha channel for defining the transparency of pixels. The payload is completely embedded into the bit layers of the file and is very difficult to detect, as seen in the image below.
Stegoloader has a modular design that is credited with helping it evade detection by only engaging further modules after certain criteria have been met. This begins with the Deployment module, which downloads and launches the main module, and follows through to the Main module. Prior to enacting other modules, Stegoloader checks to see if it is running in a VM or an analysis environment. If it detects certain processes, such as the ones listed in the table below, it will terminate and not execute its main code.
Table 1: Strings causing Stegoloader to terminate. Credit: SecureWorks
Additionally, it dynamically constructs its embedded binary strings on the program stack before they are used, which ensures that no strings are stored in clear text inside the body of the malware and both slows down and limits detection. It should be noted that at every stage of execution, the deployment module reports its status to a C2 server using HTTP GET requests as seen here:
After predetermined conditions have been met, the deployment module will then download a PNG image from a legitimate hosting site and use gdiplus to decompress the image, access each pixel, and extract the least significant bit from the color of each pixel. Neither the code nor the image is stored to disk; both are housed and executed in memory.1 After the main module is downloaded, the deployment module remains hibernated until the main module's execution completes, when the deployment module will send a final report to its C2 server. The receipt of the final report by the C2 will signal the successful completion of both the deployment and main modules and will then terminate the deployment module.
Pending the final report, which will include certain information from the infected machine, the cyber criminal can then determine which, if any, additional modules to deploy. The additional modules will also be deployed directly to memory, and never saved to disk, again evading traditional means of detection.
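For defenders, overwriting pixel least significant bits tends to leave a statistical trace that can be checked on decoded pixel data. The pairs-of-values chi-square test below is an added example, not code from this article or from SecureWorks, and it goes beyond what the article describes. It assumes the hidden data looks random and fills the LSB of every sample; the function names, the threshold and the sample data are constructed for illustration.

```python
import random
from collections import Counter

def pov_ratio(samples, min_expected=5):
    """Pairs-of-values chi-square statistic per tested pair for 8-bit samples.

    Overwriting LSBs with random-looking bits evens out the counts of each
    value pair (2k, 2k+1), so a low ratio points to LSB embedding.
    Returns None when no pair has enough samples to test.
    """
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected < min_expected:   # too sparse for a chi-square term
            continue
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    return chi2 / pairs if pairs else None

def flag_lsb_embedding(samples, threshold=4.0):
    """True when the pair counts are balanced enough to warrant a closer look.
    The threshold is an assumed triage value, not a calibrated one."""
    ratio = pov_ratio(samples)
    return ratio is not None and ratio < threshold

# --- constructed sample data (not taken from a real Stegoloader image) ---
def flat_colour_channel():
    """One colour channel of a 64x64 flat-colour graphic: four solid bands."""
    return bytes(v for v in (30, 97, 200, 255) for _ in range(1024))

def with_random_lsbs(samples, seed=1):
    """Stand-in for a carrier: every LSB overwritten with a pseudo-random bit."""
    rng = random.Random(seed)
    return bytes((v & 0xFE) | rng.getrandbits(1) for v in samples)

if __name__ == "__main__":
    clean = flat_colour_channel()
    carrier = with_random_lsbs(clean)
    print("clean  :", pov_ratio(clean), flag_lsb_embedding(clean))
    print("carrier:", pov_ratio(carrier), flag_lsb_embedding(carrier))
```

Photographic images with naturally noisy low bits, or payloads that occupy only part of an image, weaken this signal, so a hit is a reason to inspect the file and its download context rather than a verdict.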
Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. There are likely more Stegoloader modules than CTU researchers have observed, possibly used by threat actors to ensure persistence or to gain access to additional resources.1
Sword & Shield continues to work on mechanisms to thwart these and other types of cyber-criminal activity for our customers. Tearing down the code behind these types of malicious activity helps identify countermeasures to deploy for the protection of our customers' computing and network resources.
Lee Tibbals and Brian Lowe are Sword & Shield Security Operations Center specialists. Our SOC analysts administer and maintain security measures focused on application, web and infrastructure security for our clients. The analysts provide security analytics and assistance with security support requests.